The future of ransomware protection

Ransomware has not diminished as a major cybersecurity threat facing all industries. In the industry, 75% of organizations have been affected by ransomware more than once in the past 12 months, up from 61% in 2023, according to a new report from SpyCloud. Unfortunately, even with increased awareness of the costs and consequences, the insurance sector is not immune to attack by cybercriminals.

Damon Fleury

There are strong indications that insurance organizations are six times more likely than other industries to be targeted by ransomware this year by criminals using initial access malware. Of all those surveyed, this industry was by far the most at risk of future attacks.

The attractiveness of insurers to cybercriminals

Ransomware continues to be quite a profitable venture for most operators. The average cost of a ransomware attack is now $4.91 million, according to an IBM report. In the past year alone, a staggering 62% of affected organizations reported that they made payments to recover data, a significant jump from 48% a year earlier.

Given the primary role insurance companies play in responding to cyber incidents, they have a wealth of highly sensitive information about their customers and often even have information about their customers’ security. This type of information, combined with the insurance industry’s huge revenues, has created enough incentive for attackers to target insurance companies for malware infections and subsequent ransom attempts.

The cycle begins with malware detection

To understand the cycle of cybercrime, and especially ransomware, you need to look at the data used to launch an attack. Events that every organization should be concerned about are happening outside of standard cybersecurity controls, deep in the criminal underground. In this underground ecosystem, there is a growing number of specialized criminal products and services for carrying out cybercrime, with compromised digital identities marketed as a primary attack vector.

One such product that is gaining in popularity is information-stealing malware (or “infostealers”). According to a SpyCloud report, 95% of CIOs, managers and their team leaders are most concerned about malware-infected devices being used for more malicious attacks such as ransomware. One-third of ransomware victims experienced at least one ransomware infection in the 16-week period prior to the attack, a strong red flag.

Attackers use data collected by infostealers to infiltrate computers and steal login credentials, session cookies, personally identifiable information (PII), and authentication data. They review this data, then sell critical access to specialized brokers or use it themselves to gain unauthorized access and carry out ransomware attacks and data leaks.

With credentials in hand, a growing number of unskilled cybercriminals can easily hijack a user’s session, bypass advanced authentication controls (including MFA and passwordless authentication), initiate account takeover (ATO), and gain access that allows them to launch malicious attacks such as ransomware.

Reassessment of priorities

Despite growing concern about the threat of infostealers, organizations still have significant gaps in their ability to counter the exposure of identity data associated with malware. Traditional anti-malware protection, which focuses only on the infected device, continues to prove that it is not fully effective.

To close off more comprehensively the opportunities created by data that infostealers have stolen, and to prevent ransomware attacks, security teams and their fraud prevention colleagues must focus on digital identity.

The Future of Ransomware Protection: The Battle Ahead

To prevent cybercriminals from obtaining valuable identity information, such as credentials, to successfully launch attacks and profit from stolen data, there are five strategies we recommend insurance companies implement to gain an advantage:

  1. Adopt an identity-centric approach to security

With digital identities now firmly in the sights of cybercriminals, relying on old defense tactics like device-centric patching is no longer sufficient. Staying ahead of ransomware actors is an achievable goal when insurance companies act on the full scope of compromised identities of their users, whether employees, contractors or suppliers.

  2. Illuminate the entire attack surface

SpyCloud found that third-party unauthorized access is the second most risky entry point for ransomware. By improving visibility into data stolen by malware, including from unmanaged and third-party devices outside of traditional corporate oversight, security teams will have more comprehensive coverage and detect exploits faster. From here, organizations can significantly reduce remediation time by addressing credentials associated with third-party applications such as single sign-on (SSO), code repositories, payroll systems, VPNs, or remote access portals.

  3. Use automation to speed detection and mitigation

We know cybercriminals use automation, but as they get faster, so can we. Using automated incident alerts for new breaches and malware infections, insurers can act on data more quickly and feed it into automated remediation workflows to mitigate the impact.

  4. Expand ATO prevention to address both traditional and next-generation threats

In addition to hardening credentials to block traditional ATOs, insurance security teams should focus on preventing session theft by programmatically monitoring stolen web sessions and then implementing processes to invalidate web sessions associated with compromised credentials. Think of it as changing the locks before anyone can get in.

  5. Take a continuous, zero-trust approach

According to a SpyCloud survey, only 37% of organizations plan to prioritize implementing or improving a zero-trust model in the near future. As the model becomes widely accepted, continued investment in continuous zero trust can go a long way toward helping insurers account for the full extent of identity, device and access information that criminals have about employees. By continuously verifying each user’s identity for compromise when accessing corporate applications, companies can stay ahead of costly attacks and prevent unauthorized access.
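
The session-invalidation and automated-remediation steps from strategies 3 and 4, as an added example that is not from the original article or from SpyCloud. The exposure-record fields, session-store layout and function names are assumptions made for illustration, and all sample data is constructed.

```python
import hashlib
from datetime import datetime as dt

def h(token):
    # Match on SHA-256 of the token so raw cookies never sit in the pipeline.
    return hashlib.sha256(token.encode()).hexdigest()

def plan_remediation(exposures, sessions, last_reset):
    """Return ({session_id: reason}, [users who still need a password reset])."""
    stolen = {c for e in exposures for c in e["cookie_hashes"]}
    exposed_at = {}  # latest time each user's password was seen in stolen data
    for e in exposures:
        if e["password_exposed"]:
            exposed_at[e["user"]] = max(e["seen"], exposed_at.get(e["user"], e["seen"]))
    # A password reset only counts if it happened after the exposure was observed.
    clean_since = {u: last_reset[u] for u, t in exposed_at.items()
                   if u in last_reset and last_reset[u] > t}
    revoke = {}
    for s in sessions:
        if s["token_hash"] in stolen:
            revoke[s["id"]] = "stolen_cookie"        # the exact session was lifted
        elif s["user"] in exposed_at and not (
                s["user"] in clean_since and s["created"] > clean_since[s["user"]]):
            revoke[s["id"]] = "exposed_credentials"  # may have been opened with the stolen password
    resets = sorted(u for u in exposed_at if u not in clean_since)
    return revoke, resets

# Constructed sample input (hypothetical exposure-feed records and session store).
EXPOSURES = [
    {"user": "alice@example.com", "seen": dt(2024, 5, 10),
     "cookie_hashes": [h("sess-A1")], "password_exposed": True},
    {"user": "bob@example.com", "seen": dt(2024, 5, 10),
     "cookie_hashes": [], "password_exposed": True},
]
SESSIONS = [
    {"id": "s1", "user": "alice@example.com", "token_hash": h("sess-A1"), "created": dt(2024, 5, 9)},
    {"id": "s2", "user": "alice@example.com", "token_hash": h("sess-A2"), "created": dt(2024, 5, 11)},
    {"id": "s3", "user": "alice@example.com", "token_hash": h("sess-A3"), "created": dt(2024, 5, 13)},
    {"id": "s4", "user": "bob@example.com", "token_hash": h("sess-B1"), "created": dt(2024, 5, 1)},
    {"id": "s5", "user": "carol@example.com", "token_hash": h("sess-C1"), "created": dt(2024, 5, 2)},
]
LAST_RESET = {"alice@example.com": dt(2024, 5, 12), "bob@example.com": dt(2024, 4, 1)}

if __name__ == "__main__":
    revoke, resets = plan_remediation(EXPOSURES, SESSIONS, LAST_RESET)
    print("revoke:", revoke)
    print("force password reset:", resets)
```

Only sessions opened after a post-exposure password reset survive for an exposed user; a session whose own token appears in the stolen data is revoked regardless of when it was created.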

Moving forward despite constant threats

By implementing the five strategies above, insurance companies can better focus resources to achieve a more comprehensive response to malware and thus protect the company from account hijacking, fraud, and prohibitively expensive ransomware attacks.